
SECURITY UPDATE: Drupal Security Vulnerability (PSA-2014-003) – Our Recommendations

UPDATE October 30, 7:00 am CST

The Drupal Core Team has released a highly critical public service announcement – PSA-2014-003.

We recommend the following steps for all Drupal users (including those who updated to Drupal 7.32 on October 16):

  • Check if new users have been created.
  • Check and delete all users that you cannot explicitly identify.
  • Reset the passwords for all users.
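
One way to carry out the account review above directly against the database. This query is an added example, not code from 1&1 or the Drupal project. It assumes MySQL/MariaDB, the default Drupal 7 schema without a table prefix, and a cutoff of October 15, 2014, chosen to match the "October 14 or older" backup date mentioned below; adjust both to your site.

```sql
-- Added example: list every Drupal 7 account with its creation time,
-- last login and roles, flagging accounts created on or after the cutoff.
-- Assumptions: MySQL/MariaDB, default Drupal 7 tables (users, users_roles,
-- role), no table prefix. The cutoff is interpreted in the session time zone.
SET @cutoff = UNIX_TIMESTAMP('2014-10-15 00:00:00');

SELECT
    u.uid,
    u.name,
    u.mail,
    u.status,                                   -- 1 = active, 0 = blocked
    FROM_UNIXTIME(u.created)                    AS created_at,
    IF(u.login = 0, 'never',
       FROM_UNIXTIME(u.login))                  AS last_login,
    GROUP_CONCAT(r.name ORDER BY r.name
                 SEPARATOR ', ')                AS roles,
    IF(u.created >= @cutoff,
       'NEW SINCE CUTOFF', '')                  AS review_flag
FROM users u
LEFT JOIN users_roles ur ON ur.uid = u.uid      -- accounts without extra roles stay listed
LEFT JOIN role r         ON r.rid  = ur.rid
WHERE u.uid > 0                                 -- uid 0 is the anonymous placeholder row
GROUP BY u.uid, u.name, u.mail, u.status, u.created, u.login
ORDER BY u.created DESC;
```

Review the whole list, not only the flagged rows: the creation time is a stored value like any other column, so older-looking accounts and unexpected role assignments need the same check.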

As a 1&1 customer: If you have any questions, please contact our support team at:
1-866-991-2631 or support@1and1.com (available 24/7).

If you want to start with a clean Drupal install to import a backup dated October 14 or older, you can do this quickly using Click & Build Free Mode.


Additional Info (October 16, 2014)

The latest version of Drupal (7.32) includes a fix for the security vulnerability (CVE-2014-3704) in version 7.31.

1&1 customers can install this update from the 1&1 App Center starting October 16th.

Free Mode and your own installations: Please update as soon as possible!

You can update your installation in two ways:

  • Upgrade from version 7.31 to 7.32 (recommended), or
  • If you cannot update the whole installation, apply this patch to Drupal's database.inc file:
    1. Open the file database.inc on your web space with your favorite tool. The path to this file is: “DRUPAL INSTALL DIR”/includes/database
    2. Go to line ~739 and replace:
      foreach ($data as $i => $value) {
      with:
      foreach (array_values($data) as $i => $value) {
    3. Save the file.
    4. Synchronize this file back to your web space (via SFTP or SCP).

The security vulnerability is now fixed.

See also the official link for this issue.

 
